Misuse of PGP signatures
Submitted by felix
Assigned to Chris Wilson @ickle
Description
There are a few issues with the .asc files available in https://www.cairographics.org/releases/.
The smaller issue is that they are full signed files, not detached signatures (as is the usual practice). This may sometimes create problems: for example, makepkg from Arch treats all files with .asc and .sig extensions as detached signatures and verifies them automatically. Extracting full signed files is not supported; thus, makepkg can't make use of these files.
The bigger issue is that the signatures they contain are of the SHA-1 sums of packages, not of the packages themselves. SHA-1 is not considered a strong hash function nowadays; moreover, a PGP signature is already basically an encrypted hash, so this practice creates an unnecessary layer of indirection and weakens security guarantees of PGP signing.
In future releases, please create detached signatures of the packages themselves. I figure you'd also want the current latest release to be signed in this way.